On February 27, 2018, the Supreme Court heard arguments in In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp. (Microsoft). At issue is an unsettled question concerning the territorial reach of a warrant issued under the Stored Communications Act of 1986 (SCA or the Act). The case has significant implications for electronic service providers that maintain customer data and customers whose data is stored with Microsoft and other electronic service providers, as well as broader relevance to the extraterritorial reach of U.S. law enforcement tools and techniques.

As the Fourth Amendment does not protect information voluntarily disclosed to a third party,1 Congress passed the SCA to provide privacy protections to information stored electronically by third-party service providers while providing a process by which the government can compel disclosure. The SCA authorizes law enforcement authorities to obtain a warrant to seize electronically stored information, communications, and other materials from a third party upon a showing of probable cause.2 At issue is whether a warrant issued to a domestic provider pursuant to the SCA and seeking foreign-located material is an extraterritorial application of the Act.

Case Background

In December 2013, as part of a criminal narcotics investigation being led by the U.S. Attorney’s Office in the Southern District of New York, law enforcement authorities sought and obtained an SCA warrant authorizing the search and seizure of information including emails “associated with a specified web-based e-mail account” stored by Microsoft.3 After receiving the SCA warrant, Microsoft determined that while some of the responsive information was stored on U.S. servers, customer emails sought by the warrant were stored on company servers located in Dublin, Ireland.4 In response to the warrant, Microsoft produced the U.S.-located data but moved to quash the warrant to the extent it sought the production of information or documents stored abroad.

The U.S. District Court for the Southern District of New York magistrate judge hearing the motion ruled that Microsoft must comply. After conceding that SCA warrants are obtained using the same procedures as a conventional search warrant, the judge held that an SCA warrant is a hybrid law enforcement tool, part subpoena and part warrant. As a result, while the procedures for obtaining one are similar to those used to obtain a conventional warrant, the execution of an SCA warrant operates like a subpoena because it is “served on the [service provider] in possession of the information and does not involve government agents entering premises of the [service provider] to search its servers and seize the email account” sought.5 The court reasoned that SCA warrants thus do not implicate principles of extraterritoriality any more than traditional subpoenas and the SCA warrant requiring Microsoft to produce data from foreign-located servers should be upheld.6 The district court affirmed the ruling and Microsoft appealed to the U.S. Court of Appeals for the Second Circuit.

The Second Circuit reversed. In analyzing whether the presumption against extraterritorial application is overcome by the Act, the appellate court examined the history of the SCA, as well as its purpose of “protect[ing] a user’s privacy interests.”7 Finding that “Congress did not intend[] the SCA’s warrant provisions to apply extraterritorially,”8 the appellate court reversed the district court’s decision and quashed the warrant. The government appealed to the U.S. Supreme Court.

Supreme Court Arguments

During the February 27 oral arguments, the Supreme Court grappled with how to apply the decades-old SCA, which Justice Kennedy referred to as a “difficult statute,” to modern internet-based communication platforms. Microsoft argued that because the law only applies within the United States, the company cannot be compelled to turn over emails stored abroad. According to Microsoft, because the data is stored overseas, any seizure pursuant to a warrant under the SCA would occur abroad. The government, on the other hand, argued that the conduct the SCA focuses on is the “disclosure” of the information, which would occur in the United States, and not the location where any data or information is “stor[ed].” Because the key conduct the SCA addresses is disclosure and that conduct would occur in the United States, fulfilling the warrant would not require its extraterritorial application. The government, therefore, argued Microsoft must comply because it controls the records and can access them from the United States.

Justices Ginsberg and Sotomayor appeared to focus their questioning on what conduct was required abroad for Microsoft to comply with the warrant and disclose the information. Justice Ginsberg noted that even if the production was purely domestic, Microsoft would need to take actions in the country where the emails are stored. Justice Gorsuch appeared to echo these concerns, focusing on Microsoft’s necessary “antecedent conduct,” in other words, the collection and transmission of information from Ireland to the United States.

Justices Roberts and Alito, however, challenged Microsoft’s argument. When Microsoft explained that it had previously complied with similar requests beginning in 2010 before realizing that compliance with those requests constituted an “extraterritorial act,” Justice Roberts responded that it was not the government’s fault Microsoft chose to store the items abroad. He added, “I suspect the government doesn’t care.” Justice Alito raised the concern that should Microsoft win, the United States may not be able to obtain communications even if it had probable cause for a crime committed in the United States. He appeared to consider the applicable Mutual Legal Assistance Treaty (MLAT) provisions inadequate. Under an MLAT, one country can make a formal investigation request for evidence from another country with which it has a treaty. Concerns about the sufficiency of MLATs stem from the delays often involved in using an MLAT request and the fact that the United States does not have the treaties with all countries. Justice Roberts further asked (assuming Microsoft won its appeal) whether a provider would be able to market the difficulty involved in the U.S. government obtaining information pursuant to MLAT procedures as a service to customers.

Justice Breyer raised a potential solution. In his estimation, the federal government may be able to obtain a warrant for the data under the SCA but the provider could seek judicial intervention in the event the warrant conflicted with foreign law. In response, Microsoft rephrased the issue before the Court as to whether the key conduct was extraterritorial and therefore impermissible or the key conduct was domestic and therefore the data was subject to collection pursuant to a lawfully issued SCA warrant. Justice Kennedy asked why it had to be a “binary choice between a focus on the location of the data and the location of the disclosure.”

There was also discussion of another practical solution to the challenges faced by the U.S. government to obtain electronic data and information stored outside the United States: the proposed “Clarifying Lawful Overseas Use of Data Act” (CLOUD Act), which was proposed by Senator Orrin Hatch (R-Utah) in February 2018 and has the support of a bi-partisan group of senators. The CLOUD Act would allow U.S. authorities to compel disclosure of data stored abroad and would provide an opportunity for the service provider to object and notify the host country, which may also have jurisdictional, data privacy, or other objections to the provider’s compliance with the U.S. data request. In reaching a decision in the Microsoft case, the Court may take into account that Congress is actively considering providing another means of access and implementing additional procedural requirements. Justices Ginsberg and Sotomayor’s questioning focused on Congressional efforts to resolve the issue and strike the balance between law-enforcement needs and international comity concerns.

Significance of the Case

The Supreme Court’s forthcoming decision, which is anticipated before the Court’s term concludes in June 2018, will resolve whether law enforcement authorities can use the SCA to obtain a third-party’s foreign-stored electronic information under the SCA’s warrant provision. The decision also will have implications relating to the broader question of the extraterritorial reach of U.S. process that has become increasingly unclear given recent divergent court decisions in various federal circuits. (For a fuller analysis of these cases, see Cozen O’Connor’s previous alert Microsoft: Supreme Court Decision on Jurisdiction over Foreign-Located Communications Anticipated.) If the Court holds that documents and information stored overseas are subject to collection by an SCA warrant, a warrant under the Act would function like a traditional warrant in terms of its procedure but would provide unique reach. Alternatively, a ruling by the Supreme Court that the conduct the SCA focuses on is not domestic in nature would be a decisive decision concerning the limits of document and information collection authority. Thus, the outcome of this case has significant implications regarding the bounds of law enforcement investigative efforts, users’ privacy rights, and the obligations of electronic service providers and other companies that store user data. Given the implications of this case, we will be monitoring it closely and update accordingly.

4 Microsoft, like many service providers, stores most of a user’s data as close as possible to where the customer resides to improve service. In this case, a customer’s location is determined based on the “country code” entered when the customer registered. Interestingly, Microsoft does not independently confirm the location information supplied by a customer. In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197, 203 (2d Cir. 2016).